
cPanel Password Security



WHMCS appears to store all our customer cPanel passwords in a retrievable way (basically plaintext), because it shows that to us as an admin user. This seems very insecure. All of our customer cPanel accounts (that were purchased through WHMCS) have just been compromised and had phishing pages/email take over them. Accounts that didn't use WHMCS (created manually for example) weren't compromised.

  • How can this be prevented in future?
  • Where are the passwords stored and how can we ensure this is secure?
  • Are they accessible by plugins?

 

Obvious first steps:

  • Secure admin account(s) with secure password (unique, random, long),
  • Reset cPanel accounts to something secure (unique, random, long),
  • Don't store passwords in WHMCS (customer cpanel login seems to work fine without it).

> How can this be prevented in future?

My question would be how was your WHMCS installation compromised? If they had access to either your database or WHMCS admin access then encrypted passwords is the least of your worries as you would still have full access to everything else - an encrypted password with an WHMCS admin exploit would still allow someone access to the hosting accounts via single sign on, password reset, etc. You need to determine how this happened from a WHMCS perspective and secure this accordingly.


cPanel passwords are visible in plain text under the username field when viewing the product details, which is where I assume the issue has arisen from. My previous comment still stands though - someone shouldn't have got that far anyway so the root cause of that access needs to be determined.


  • 1 month later...

We had to totally nuke the WHMCS install. Fresh download from trusted source and start from scratch. Imported database over via sql. 

Did you have any addons/plugins/modules? We had a few themes and domain registrar plugin. We haven't reinstalled these and so far there's not been any further phishing.

Changing passwords and even two factor auth didn't help, so we think it had to be a plugin. 


10 hours ago, rarija said:

> Thank you @baffinsabino for your comment,
>
> we don't have any clue of what happens, we have add ons and modules, we will start from a fresh whmcs install
>
> thanks!

It's super frustrating and we're feeling the consequences months later. Our ssl certs just failed to renew and it seems to be because Google was telling comodo we have malicious content (even though it was all cleaned months ago). 

 

It's a nightmare. Our modules were from the WHMCS marketplace, so looks like we'll have to avoid that in future.


16 hours ago, baffinsabino said:

> It's a nightmare. Our modules were from the WHMCS marketplace, so looks like we'll have to avoid that in future.

why avoid it? WHMCS make no coding checks on the modules listed in Marketplace (and they don't claim to), so it's just a convenient directory of links to third-party developers of modules that you purchase at your own risk - there's no difference between getting a module listed in Marketplace, or finding an addon via Google... as soon as users understand that, and visit there with their eyes wide open, the better it will be for them.

the golden rules to follow are:-

  1. only install third-party addons when absolutely necessary.
  2. obtain them from trusted developers.
  3. if a developer gives poor support, post a review in Marketplace to warn others - more so, if you believe a module has caused a security issue.
  4. don't update WHMCS until you know there are updates available for all installed addons.

WHMCS are not going to be able to resolve this situation, so the market will decide and the more true reviews there are posted on Marketplace, the better it will be for everyone.


@rarija @baffinsabino

Probably it would be a good idea if you compare (via PM) which modules you have installed. This could give hints to the module that may have caused the problem.

The common way would be to check the webserver access logs so you should be able to find out what happened. 

The installation of a WAF (Web Application Firewall) and IDS, especially for such critical systems like WHMCS, is quite recommendable. At least a large part of the common attacks can be detected and prevented with that.

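One way to see exactly which files the add-ons and themes contributed, and whether any core file was altered, is to hash the live install against the fresh download from a trusted source mentioned earlier in the thread. This is an added example, not code from any poster or from WHMCS; the directory names and file contents in `build_demo` are constructed sample data.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(trusted_root, live_root):
    """Return files added to, modified in, or missing from the live tree."""
    trusted, live = hash_tree(trusted_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(trusted)),
        "modified": sorted(p for p in trusted.keys() & live.keys() if trusted[p] != live[p]),
        "missing": sorted(set(trusted) - set(live)),
    }

def executable_additions(report, suffixes=(".php", ".phtml", ".htaccess")):
    """Added or modified files the web server may execute or obey: review these first."""
    return [p for p in report["added"] + report["modified"] if p.lower().endswith(suffixes)]

def build_demo():
    """Constructed sample trees standing in for the fresh download and the live install."""
    base = tempfile.mkdtemp()
    files = {
        "trusted": {"index.php": "<?php // core", "lib/util.php": "<?php // util", "README.txt": "docs"},
        "live": {"index.php": "<?php // core", "lib/util.php": "<?php // util + edit",
                 "modules/example_addon/hook.php": "<?php // third-party", "logo.png": "img"},
    }
    for tree, entries in files.items():
        for rel, body in entries.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "trusted"), os.path.join(base, "live")

if __name__ == "__main__":
    report = compare_trees(*build_demo())
    for kind, paths in report.items():
        print(kind, paths)
    print("review first:", executable_additions(report))
```

Run against a copy of the live tree rather than the production directory, and expect site-specific configuration and uploaded files to appear under "added".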

I am PMing rarija with my addons to see if any are the same as theirs.

I also feel like it reflects poorly on WHMCS when highly rated modules (didn't install anything else) are causing issues. Not sure what the solution is, but it'll be a while before we want to try modules again knowing that we're basically handing our customers to each and every module developer.


23 hours ago, rarija said:

> I understand what you meant about WHMCS not being responsible, that's true, but still they are looking bad for WHMCS, which is a great system.

the point I was really making was that you should be careful with ALL software that you install - that includes the core WHMCS program, updates from WHMCS, third-party addons... and even the code that's posted here in the Community!

the sad truth is that too many users are naive and blindly install WHMCS updates (which almost certainly won't have been thoroughly tested before release), or choosing to buy addons from MP links in the mistaken understanding that Marketplace is something that it isn't.

23 hours ago, rarija said:

> we develop mobile apps, when you upload an app to any store the code is checked, more on apple, they charge an annual membership for that to the developers which is fair to make the market secure, which doesn't happen in WHMCS, just an opinion,

I get the idea and see the benefits, but Marketplace isn't a store (in the Apple/Google sense) and you aren't downloading from WHMCS - to replicate the store in the sense you mean, would require all WHMCS developers to regularly submit their code to WHMCS (let's ignore for now that WHMCS can't even ensure their own code to work correctly, let alone checking the code of outside developers!); WHMCS would have to host the files and effectively handle sales on behalf of the developer... i'm not even going to waste time going further down the requirements that would be needed (as some were mentioned in the other thread), as it's never going to happen.... the "good" developers almost certainly wouldn't want to do that and the "bad" developers certainly wouldn't want it...
